Add release note for fernet tokens
Let's add a release note for switching the default token provider. This will need to merge before we can make any upgrade changes to grenade for the Newton to Ocata upgrade.

Change-Id: I7208bf6cb9329d6ca1f49409da44b0537c74aea9
parent 71134fbe1c
commit e5add63637
@ -0,0 +1,21 @@
|
||||
---
|
||||
upgrade:
|
||||
- The default token provider has switched from UUID
|
||||
to Fernet. Please note that Fernet requires a
|
||||
key repository to be in place prior to running Ocata.
|
||||
This can be done using ``keystone-manage fernet_setup``.
|
||||
Documentation can be found `here <http://docs.openstack.org/developer/keystone/man/keystone-manage.html>`_.
|
||||
In addition, for multi-node deployments, it is imperative that
|
||||
a key distribution process be in use before upgrading. Once
|
||||
a key repository has been created it should be distributed
|
||||
to all keystone nodes in the deployment. This ensures that
|
||||
each keystone node will be able to validate tokens issued
|
||||
across the deployment. If you do not wish to switch token
|
||||
formats, you will need to explicitly set UUID as the token
|
||||
provider for each node in the deployment using
|
||||
``[token] provider = uuid`` in your ``keystone.conf``.
|
||||
critical:
|
||||
- If upgrading to Fernet tokens, you must have a key
|
||||
repository and key distribution mechanism in place.
|
||||
Otherwise token validation may not work. Please see
|
||||
the upgrade section for more details.
|
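Review bot: In the upgrade entry, "Once a key repository has been created it should be distributed to all keystone nodes" does not tell operators that the repository holds secret key material. Fernet keys are symmetric, so anyone who can read them can mint tokens the deployment will accept; suggest adding that the keys must be copied over an authenticated, encrypted channel and remain readable only by the keystone service user on each node. The critical entry's "Otherwise token validation may not work" is also softer than the upgrade text implies: a node that lacks the issuing node's keys cannot validate that token, so wording such as "token validation will fail for tokens issued by other nodes" would set clearer expectations. As a style point, the link text "here" could name its target (the keystone-manage man page) so the note still reads well when the link is not rendered.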